GuardAPI

Fix Logic Flow Bypass in Feathers

FeathersJS service logic is dictated by the hook sequence. A Logic Flow Bypass occurs when developers assume that 'params.provider' is the only way to distinguish external requests, or when they fail to secure internal service calls that can be reached through nested service calls. Exploiting this lets an attacker skip validation, escalate privileges, or manipulate state machines by reaching internal-only hooks or sidestepping conditional logic.

The Vulnerable Pattern

module.exports = {
  before: {
    patch: [
      async context => {
        // VULNERABILITY: Logic only executes if provider is REST/Socket.io
        // If an attacker triggers this via a custom hook or internal redirect,
        // or if the provider check is bypassed, the 'status' can be set to 'admin'.
        if (context.params.provider) {
          if (context.data.status === 'admin') {
            throw new Error('Prohibited');
          }
        }
      }
    ]
  }
};

The Secure Implementation

The vulnerability exists because the 'if (context.params.provider)' check creates an 'internal-only' bypass path that can be abused if the application logic allows external users to influence internal calls (e.g., through $populate or custom service methods). The fix involves:

1. Using 'discard' or 'preventChanges' from feathers-hooks-common to strip sensitive fields before they reach the service.
2. Removing conditional provider checks for security-critical logic.
3. Implementing strict RBAC that validates the 'context.params.user' object rather than relying on the transport layer's presence.

const { checkContext, preventChanges, discard } = require('feathers-hooks-common');
const { authenticate } = require('@feathersjs/authentication').hooks;

module.exports = {
  before: {
    // Every method requires a valid JWT for transport calls, so context.params.user
    // is populated for external requests.
    all: [authenticate('jwt')],
    patch: [
      // SECURE: strip privilege-bearing fields from the input before the service sees
      // them, whether the call arrived over REST/Socket.io or from another service.
      discard('status', 'role'),
      // SECURE: the check runs for every call and is based on the authenticated user,
      // not on the presence of params.provider. Internal calls may carry no user at all,
      // so an absent user is treated as unprivileged.
      async context => {
        const { user } = context.params;
        if (context.data.internalFlag && (!user || user.role !== 'admin')) {
          throw new Error('Logic Flow Violation');
        }
        return context;
      }
    ]
  }
};
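To make the difference between the two patterns concrete, here is an added example (not code from the GuardAPI page or from the Feathers project) that runs both hook chains through a minimal stand-in for the Feathers before-hook pipeline. The helpers runBefore, discardFields, simulate and demo are hypothetical: they imitate how Feathers walks a hook list and how feathers-hooks-common's discard() strips fields, but they are not the library's code. The sample payload and params are constructed for the demonstration. The example shows that a provider-gated check lets a privileged field through on an internal call (no params.provider), while discarding the field plus a user-based role check blocks it on every path.

```javascript
// Added example, not from the original page: a simplified model of the Feathers
// before-hook pipeline used to compare a provider-gated check with field discarding.
// Hooks are kept synchronous here (real Feathers hooks may be async) so results
// are easy to inspect and assert on.

// Run a list of before hooks in order for one method call, as Feathers does.
// A hook may return a new context; otherwise the existing one is kept.
function runBefore(hooks, context) {
  for (const hook of hooks) {
    const result = hook(context);
    if (result !== undefined) context = result;
  }
  return context;
}

// Hypothetical stand-in for feathers-hooks-common's discard(): delete the named
// fields from context.data for every call, internal or external.
function discardFields(...fields) {
  return context => {
    for (const field of fields) delete context.data[field];
    return context;
  };
}

// VULNERABLE hook (the page's pattern): the guard only runs when a transport set
// params.provider, so a nested/internal service call skips it entirely.
const providerGatedCheck = context => {
  if (context.params.provider) {
    if (context.data.status === 'admin') throw new Error('Prohibited');
  }
  return context;
};

// HARDENED chain (the page's fix): strip the sensitive fields unconditionally,
// then enforce RBAC on the authenticated user instead of on the transport.
const hardenedHooks = [
  discardFields('status', 'role'),
  context => {
    const { user } = context.params;
    if (context.data.internalFlag && (!user || user.role !== 'admin')) {
      throw new Error('Logic Flow Violation');
    }
    return context;
  }
];

// Simulate one patch call: report whether a hook rejected it and what data survived.
function simulate(hooks, params, data) {
  const context = { method: 'patch', params, data: { ...data } };
  try {
    const out = runBefore(hooks, context);
    return { blocked: false, data: out.data };
  } catch (err) {
    return { blocked: true, error: err.message };
  }
}

// Constructed sample input: a client trying to set its own status to 'admin'.
function demo() {
  const payload = { status: 'admin', name: 'mallory' };
  const external = { provider: 'rest', user: { id: 1, role: 'user' } };
  const internal = { user: { id: 1, role: 'user' } }; // no provider: internal call

  return {
    vulnExternal: simulate([providerGatedCheck], external, payload),
    vulnInternal: simulate([providerGatedCheck], internal, payload),
    hardExternal: simulate(hardenedHooks, external, payload),
    hardInternal: simulate(hardenedHooks, internal, payload)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output, vulnInternal is the case the page warns about: the call is not blocked and context.data still carries status: 'admin', because nothing in the provider-gated hook runs without params.provider. Both hardened cases pass through with the status field removed, so the service never sees the privileged value regardless of how the call originated. In a real Feathers app the internal path is typically a hook or custom method calling app.service(...).patch(...) with params that do not copy provider from the original request; the fix holds because it does not depend on that flag.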


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.